Linkerd control plane certificates are being reset #17
Assignees
Labels
bug
Something isn't working
Comments
|
As of #34 it looks like this problem was solved. I'm not too sure why, I'm not too sure how, but it's no longer happening. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It looks like the Linkerd control plane components' TLS certificates are being reset a few hours after synchronization through Argo CD. Argo is not detecting drift, but this leads to certificates that are not signed by the trust anchor.
Looking at the
MutatingWebhookConfigurationcreated for the proxy injector, it looks like the CA bundle that is copied over is for the certificate that was put in place after the Argo CD sync.openssl verifysays the certificate isn't trusted, even when the CA file is set to the trust anchor public certificate. This could be due to the trust anchor being a self-signed certificate, but it is also possible the certificate issued for these components is not signed by it.This is not breaking communication between meshed services, but once the certificate is reset to an invalid one, the mutating webhook is unable to inject
linkerd-proxyinto new Pods, so new containers cannot enter the mesh.The text was updated successfully, but these errors were encountered: